Hi,
I work with a web application that implements a pretty tight CSP and we are
seeing some odd behavior related to use of the <APPLET> tag. It seems like
no matter how strict our CSP is (Content-Security-Policy: default-src
'none'; object-src 'none';), all three major browsers (Chrome, Firefox and
Safari) still let applets load when using the <APPLET> tag. It also looks
like Firefox allows applets to load through <EMBED> tags when the type
attribute is set to "application/x-java-applet".